Diffstat (limited to 'modules')
-rw-r--r--modules/nixos/defaults/security.nix16
1 files changed, 14 insertions, 2 deletions
diff --git a/modules/nixos/defaults/security.nix b/modules/nixos/defaults/security.nix
index 65ce729..8d7d879 100644
--- a/modules/nixos/defaults/security.nix
+++ b/modules/nixos/defaults/security.nix
@@ -1,12 +1,24 @@
-# Much of this is sourced from https://xeiaso.net/blog/paranoid-nixos-2021-07-18/
{ lib, ... }:
+
+# Much of this is sourced from https://xeiaso.net/blog/paranoid-nixos-2021-07-18/
{
security = {
apparmor.enable = lib.mkDefault true;
audit.enable = lib.mkDefault true;
auditd.enable = lib.mkDefault true;
+
+ pam.services = {
+ # Fix `run0`
+ # TODO: Upstream?
+ systemd-run0 = {
+ startSession = true;
+ setEnvironment = true;
+ };
+ };
+
polkit.enable = true;
- sudo.execWheelOnly = true;
+
+ sudo.enable = false;
};
services.dbus.apparmor = lib.mkDefault "enabled";